Top 5 Priorities to Prepare for EU GDPR

50% of organizations will fail to comply with GDPR.

When the European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, its impact will extend beyond the borders of the European Union (EU). It will apply to all companies processing and holding the personal data of EU residents, regardless of the company’s location.

“The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe,” said Bart Willemsen, research director at Gartner. “With the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”

Despite a lot of recent attention around these regulations, Gartner predicts that, on the date the GDPR takes effect, more than half of the companies it affects will not fully comply with its requirements.


Organizations must focus now on five high-priority changes to ensure compliance when GDPR comes into force:

  1. Determine Your Role Under the GDPR
    Any organization that decides on why and how personal data is processed is essentially a “data controller.” Therefore, the GDPR applies not only to businesses in the EU, but also to all organizations outside the EU that are processing personal data for the offering of goods and services to the EU, or that are monitoring the behavior of data subjects within the EU. These organizations should appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.
  2. Appoint a Data Protection Officer
    Many organizations will be required to appoint a data protection officer (DPO) as a result of the GDPR. This is especially important when the organization is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities. “Large scale” does not necessarily mean hundreds of thousands of data subjects — early drafts of the GDPR mentioned the processing of data on more than 5,000 subjects in any 12-month period.
  3. Demonstrate Accountability in All Processing Activities
    Purpose limitation, data quality and data relevance should be decided on when starting a new processing activity, but also applied to existing processing activities. This will help to maintain compliance in future personal data processing activities. Organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities. “Third-party service providers (i.e. data processors) must also comply, and this will impact an organization’s supply, change management and procurement processes,” explains Willemsen. “Accountability under the GDPR requires proper data subject consent acquisition and registration. Pre-checked boxes and implied consent will no longer be sufficient. Instead, organizations will be required to implement streamlined techniques to obtain and document consent and consent withdrawal.”
  4. Check Cross-Border Data Flows
    Data transfers to any of the 28 EU member states will still be allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries the European Commission (EC) has deemed to have an “adequate” level of protection will also be possible. Outside of these areas, organizations should use appropriate safeguards, such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., “EU Model Contracts”).
  5. Prepare for Data Subjects Exercising Their Rights
    Data subjects have extended rights under the GDPR. These include the right to be forgotten, the right to data portability and the right to be informed (e.g., in case of a data breach, or to receive an explanation, for example in machine learning systems’ automated decision making).

“If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls,” says Willemsen.

Legal disclaimer: The opinions and recommendations in this research should not be construed as legal advice. Gartner recommends that entities subject to legislation seek legal counsel from qualified sources.


Gartner clients can learn more about preparing for EU GDPR in "Focus on Five High-Priority Changes to Tackle the EU GDPR" by Bart Willemsen
